
Malware Guard Extension: abusing Intel SGX to conceal cache attacks

Abstract: In modern computer systems, user processes are isolated from each other by the operating system and the hardware. Additionally, in a cloud scenario it is crucial that the hypervisor isolates tenants from other tenants that are co-located on the same physical machine. However, the hypervisor does not protect tenants against the cloud provider and thus against the supplied operating system and hardware. Intel SGX provides a mechanism that addresses this scenario: it aims at protecting user-level software from attacks by other processes, by the operating system, and even by physical attackers. In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works even though SGX enclaves have no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 min.
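The abstract's key point is that a constant-time multiplication primitive does not make the surrounding exponentiation constant-time: a Prime+Probe attacker watching the cache lines of the multiply routine still sees which operation runs, and the sequence of squarings and multiplications is the private exponent. The following added example (written for this page, not code from the paper or its authors) models that observation with a simulated trace instead of real cache timings. The leakage model, the `record()` hook, the event letters 'S'/'M' and all function names are assumptions made for illustration; the recovery rule is the standard square-and-multiply decoding, and a Montgomery ladder is shown as the hardened counterpart.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed leakage model (illustration only, not the paper's attack code):
 * an attacker performing Prime+Probe on the cache set of the multiply
 * routine learns that a multiplication happened and, from context, whether
 * it was a squaring ('S') or a multiply-by-base ('M'). The primitive itself
 * is constant-time; only the ORDER of calls leaks. */
#define TRACE_MAX 256

typedef struct {
    char   ev[TRACE_MAX];
    size_t len;
} trace_t;

static void record(trace_t *t, char e) {
    if (t && t->len < TRACE_MAX) t->ev[t->len++] = e;
}

/* Constant-time (in this model) modular multiplication, 64-bit modulus. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) {
    return (uint64_t)(((unsigned __int128)a * b) % n);
}

static int bitlen(uint64_t x) { int l = 0; while (x) { l++; x >>= 1; } return l; }

/* Reference result for checking both exponentiations (slow, no trace). */
uint64_t modexp_ref(uint64_t base, uint64_t exp, uint64_t n) {
    uint64_t r = 1 % n;
    for (uint64_t i = 0; i < exp; i++) r = mulmod(r, base, n);
    return r;
}

/* Leaky left-to-right square-and-multiply: every bit below the MSB costs
 * one 'S', and a set bit additionally costs one 'M'. */
uint64_t modexp_leaky(uint64_t base, uint64_t exp, uint64_t n, trace_t *t) {
    if (exp == 0) return 1 % n;
    uint64_t r = base % n;
    for (int i = bitlen(exp) - 2; i >= 0; i--) {
        r = mulmod(r, r, n);                        record(t, 'S');
        if ((exp >> i) & 1) { r = mulmod(r, base, n); record(t, 'M'); }
    }
    return r;
}

/* Attacker side: the MSB is implicitly 1; each 'S' opens a new bit and an
 * immediately following 'M' sets it. */
uint64_t recover_exponent(const trace_t *t) {
    uint64_t exp = 1;
    for (size_t i = 0; i < t->len; i++) {
        if (t->ev[i] != 'S') continue;
        int bit = (i + 1 < t->len && t->ev[i + 1] == 'M');
        exp = (exp << 1) | (uint64_t)bit;
    }
    return exp;
}

/* Montgomery ladder: exactly one 'M' and one 'S' per bit for all 64 bits,
 * so the operation sequence is key-independent. Caveat: which register is
 * squared still depends on the bit, so a finer-grained probe on data lines
 * could still distinguish them; this closes the op-sequence channel only. */
uint64_t modexp_ladder(uint64_t base, uint64_t exp, uint64_t n, trace_t *t) {
    uint64_t r0 = 1 % n, r1 = base % n;
    for (int i = 63; i >= 0; i--) {
        if ((exp >> i) & 1) { r0 = mulmod(r0, r1, n); record(t, 'M'); r1 = mulmod(r1, r1, n); record(t, 'S'); }
        else                { r1 = mulmod(r0, r1, n); record(t, 'M'); r0 = mulmod(r0, r0, n); record(t, 'S'); }
    }
    return r0;
}

/* Run a victim, hand its trace to the attacker, return the guessed key. */
uint64_t attack_leaky(uint64_t base, uint64_t exp, uint64_t n) {
    trace_t t = {{0}, 0};
    (void)modexp_leaky(base, exp, n, &t);
    return recover_exponent(&t);
}
uint64_t attack_ladder(uint64_t base, uint64_t exp, uint64_t n) {
    trace_t t = {{0}, 0};
    (void)modexp_ladder(base, exp, n, &t);
    return recover_exponent(&t);
}
int results_agree(uint64_t base, uint64_t exp, uint64_t n) {
    uint64_t ref = modexp_ref(base, exp, n);
    return modexp_leaky(base, exp, n, NULL) == ref && modexp_ladder(base, exp, n, NULL) == ref;
}

int main(void) {
    trace_t t = {{0}, 0};
    uint64_t exp = 0xB5;                              /* constructed sample key */
    (void)modexp_leaky(7, exp, 1000000007ULL, &t);
    printf("trace: %.*s\n", (int)t.len, t.ev);        /* SSMSMSSMSSM */
    printf("recovered: 0x%llx\n", (unsigned long long)recover_exponent(&t));
    return 0;
}
```

Real traces from the paper's setting are noisier than this model: an enclave has no `rdtsc`, so the timer is a counting thread, and samples must be thresholded and aligned before the S/M decoding above applies, which is why the abstract reports 96% of the key from one trace rather than all of it.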
Document type: Journal articles
https://hal.inria.fr/hal-02866628
Contributor: Clémentine Maurice
Submitted on: Friday, June 12, 2020 - 4:13:09 PM
Last modification on: Friday, May 7, 2021 - 3:04:03 PM

File: malware_guard_extension_journa... (files produced by the author(s))
Citation
Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice, Stefan Mangard. Malware Guard Extension: abusing Intel SGX to conceal cache attacks. Cybersecurity, SpringerOpen, 2020, 3 (1), ⟨10.1186/s42400-019-0042-y⟩. ⟨hal-02866628⟩
